Subscription to the full report on a daily basis can be obtained by sending an e-mail to dhsdailyadmin@mail.dhs.osis.gov with the subject "DHS Daily Open Source Infrastructure Report" and the single line "subscribe" in the body.
To obtain a complete copy of the current report, proceed to the DHS link below.
To obtain reports more than 10 business days old, send an e-mail to DHS_Reports@e-computer-security.com. Be specific as to the reports you wish to receive.

• A toxic cloud formed after 300 gallons of hydrochloric
acid leaked at a storage facility near Texas City, Texas. The cloud forced
thousands of residents indoors and sent nine people to hospitals, an emergency
management official said October 25. – CNN

2. October 25, CNN – (Texas) Toxic cloud forces thousands in southeast Texas to
stay indoors. A toxic cloud that formed after 300 gallons of hydrochloric
acid leaked at a southeast Texas storage facility sent nine people to hospitals
and forced thousands of residents indoors, an emergency management official
said October 25. Four firefighters were among those who were hospitalized for
exposure after a tank ruptured at a storage facility near the Port of Texas
City, a spokesman of the local emergency management office said. More than
45,000 residents of Texas City were ordered to remain indoors, turn off air
conditioning units, and make sure all windows and doors were closed until the
vapor cloud dissipated. Officials did not immediately detail what caused the
tank to rupture at the Dallas Group of America’s facility near the port. City
officials were working to clean up the leak, the spokesman told KTRK 13 Houston. None of those exposed
to the chemical cloud sustained life-threatening injuries, according to KTRK 13
Houston. Source: http://www.cnn.com/2012/10/25/us/texas-chemical-leak/index.html

• The United States filed a civil mortgage fraud lawsuit against Bank of America,
accusing it of selling thousands of toxic home loans to Fannie Mae and Freddie Mac
that went into default and caused more than $1 billion of losses, Reuters reported
October 24. – Reuters. See item 10 below in the Banking and Finance Sector

• A fraud ring that attacked financial transfer systems in an attempt to target
wealthy high-end banking customers used a complicated web of malware and
compromised servers in several countries to steal an estimated $78 million
earlier in 2012, according to an analysis by McAfee and Guardian Analytics.
– Threatpost. See item 14 below in the Banking and Finance Sector

• A federal cyber emergency response team issued a warning that DomainKeys
Identified Mail (DKIM) verifiers that use low-grade encryption are open to being
spoofed and need to be upgraded. This problem was found to affect some of the
biggest companies in the tech industry and several large banks. – The Register.
See item 45 below in the Information Technology Sector

Details

Banking and Finance Sector

7. October 25, Help Net Security – (District of Columbia) Banker pleads
guilty to sharing personal information of account-holders. A former
personal banker from Washington, D.C., pleaded guilty to conspiracy to commit
bank fraud for his role in an identity theft scheme involving $121,400 in
forged checks, Help Net Security reported October 25. According to a statement
of offense, he and others participated in the scheme from November 2009 until
January 2010, conspiring to steal funds from the accounts of customers of
Wachovia Bank, now operating as Wells Fargo Bank. He began participating in the
scheme after he was approached by another person at the bank branch where he
worked. The person offered to pay him for providing the type of customer information
that would be needed to fraudulently obtain funds from customer accounts with
balances of at least $15,000. He subsequently obtained this information
concerning the accounts of seven customers, including their dates of births,
addresses, telephone numbers, and Social Security numbers, then turned over the
information and received $2,000 in cash. Various members of the conspiracy
obtained $72,800 and attempted to obtain another $48,600 by forging checks
drawn on five of the accounts targeted by the banker. Source: http://www.net-security.org/secworld.php?id=13839

8. October 24, American Banker – (International) ATMs may be top targets for crime: Verizon
report. More than half of intrusions in the financial industry in a recent
study led by Verizon involved tampering with ATMs, the company said in a report
published October 24. Overall, 61 percent of security threats involved physical
tampering, including the installation of skimming and camera devices on ATMs.
Roughly one in four threats involved malware that captures user names and
passwords. Another 22 percent involved hacking. According to the study, 56
percent of data breaches compromised ATMs. Another 21 percent of attacks
compromised database servers, while 13 percent involved Web servers. Overall,
96 percent of threats to banks originated externally and emanated mostly from
professional criminal organizations in Eastern Europe and elsewhere, according
to the study. Still, 9 percent of breaches involved employees of the target
company, one of the highest rates of internal breaches among industries the
group examined. Insiders were people who typically handled financial
transactions, such as bank tellers and loan officers, the study found. Source: http://www.americanbanker.com/issues/177_206/atm-may-be-top-targets-for-crime-1053833-1.html

9. October 24, Las Vegas Review-Journal – (Nevada; California) Henderson
man faces charges in $15 million Ponzi scheme. A Henderson, Nevada man is
facing federal charges in Los Angeles in what authorities allege is a $15 million
Ponzi scheme, the Las Vegas Review-Journal reported October 24. The man was
arrested in Las Vegas on charges including mail and wire fraud in the
investment scheme, the Los Angeles U.S. Attorney’s Office said in a news
release. According to the indictment, the man falsely told investors he was
producing earnings of 1 percent to 5 percent a week through a commodity futures
trading program. In reality, his trading activity was unprofitable, causing him
to lose nearly all the money he used to trade commodities. Federal authorities
think he took in at least $15 million in the scheme and that his investors lost
at least $9 million. He solicited investments through Nevada-based companies,
including Axcess Automation LLC, and a hedge fund he called Axcess Fund LP. In
addition to the fraud allegations, he is accused of lying to the U.S.
Securities and Exchange Commission. Source: http://www.lvrj.com/news/henderson-man-faces-charges-in-15-million-ponzi-scheme-175704591.html

10. October 24, Reuters – (National) U.S. sues BofA over alleged mortgage fraud. The
United States filed a civil mortgage fraud lawsuit against Bank of America,
accusing it of selling thousands of toxic home loans to Fannie Mae and Freddie
Mac that went into default and caused more than $1 billion of losses, Reuters
reported October 24. The case,
originally brought by a whistleblower, is the U.S. Department of Justice’s
first civil fraud lawsuit over mortgage loans sold to Fannie Mae or Freddie
Mac. According to a complaint filed in Manhattan federal court, Countrywide in
2007 invented a scheme known as the “Hustle” designed to speed up processing of
residential home loans. Operating under the motto “Loans Move Forward, Never
Backward,” mortgage executives tried to eliminate “toll gates” designed to
ensure that loans were sound and not tainted by fraud, the government said.
This resulted in “defect rates” that were roughly nine times the industry norm,
but Countrywide concealed this from Fannie Mae and Freddie Mac, and even
awarded bonuses to staff to “rebut” the problems being discovered, it added.
The scheme ran through 2009 and caused “countless” foreclosures, the lawsuit
alleged. Source: http://bottomline.nbcnews.com/_news/2012/10/24/14671246-us-sues-bofa-over-alleged-mortgage-fraud?lite

11. October 24, Dark Reading – (National) Barnes & Noble stores targeted in nationwide
payment card-skimming scam. Rogue PIN pad devices discovered at more than
60 Barnes & Noble stores nationwide appeared to be the handiwork of a
well-orchestrated financial fraud scheme that rigged just one device at each
store, Dark Reading reported October 24. The retail bookseller revealed that it
had halted use of all PIN pad devices in most of its 700 stores as of September
14 in the U.S. and that the FBI is investigating the case. The compromised PIN
pad devices represent less than 1 percent of the total number of these devices
in Barnes & Noble stores, according to the retailer. The compromised
devices were found in some stores in California, Connecticut, Florida, New
Jersey, New York, Illinois, Massachusetts, Pennsylvania, and Rhode Island.
Somehow, the criminals were able to gain physical access to the devices, which
Barnes & Noble described as having been tampered with and implanted with
“bugs” that let the fraudsters capture credit card and debit card PIN numbers.
Barnes & Noble declined to provide details on the type or features in the
rigged devices. Source: http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/240009697/barnes-noble-stores-targeted-in-nationwide-payment-card-skimming-scam.html

12. October 24, Softpedia – (International) Lloyds TSB scams: Account payment review
notifications and errors. Lloyds TSB customers should be on the lookout for
two particular phishing emails, Softpedia reported October 24. One of them is
entitled “Error on your account” and the other one “Account payment review
notification.” In both cases, users who take the bait and click on the links
are directed to compromised Web sites that host cleverly designed fake Lloyds
TSB Web pages. At the time of writing, the hijacked sites’ owners — one of the
sites belongs to an educational institution from China and the other one is a
Ukrainian site — had removed the phishing pages. However, Internet users must still
be cautious when receiving such messages since the cybercriminals can easily
hijack other Web sites and resume their operation. Source: http://news.softpedia.com/news/Lloyds-TSB-Scams-Account-Payment-Review-Notifications-and-Errors-301812.shtml

13. October 24, Canton Press-News – (Ohio) Aultman Hospital reports data breach. Aultman
Hospital in Canton, Ohio, recently learned that an unidentified third party
gained unauthorized access to credit card and debit card information relating
to some purchases at the hospital’s gift shop between February and September
2012, the Canton Press-News reported October 24. Upon learning of the security
breach, Aultman Hospital took immediate steps to investigate and resolve the
situation. Aultman notified the appropriate law enforcement authorities,
including the Secret Service and the Canton Police Department. Aultman replaced
the hardware affected by the breach, and retained a forensic auditor to assist
with the ongoing investigation. Currently, Aultman did not know how many
individuals were affected by the breach, but the breach appeared limited to the
gift shop. Source: http://www.the-press-news.com/local business/2012/10/24/aultman-hospital-reports-data-breach

14. October 24, Threatpost – (International) Operation High Roller banked on fast-flux
botnet to steal millions. A fraud ring that attacked financial transfer
systems in an attempt to target wealthy high-end banking customers used a
complicated web of malware and compromised servers in several countries to
steal an estimated $78 million earlier in 2012, Threatpost reported October 24.
While the attacks targeted financial systems, the victims seem to be limited to
companies involved in manufacturing, import-export businesses, and State or
local governments. Operation High Roller was at its peak during the spring,
using automated fast-flux techniques to move command and control and malware
servers from host to host, using providers in Kemerovo, Russia, as well as
other hosts in Albania, Scottsdale, Arizona, and San Jose, California. All of
them had ties to servers in Albania and China and relied on a cocktail of the
Zeus trojan and variants SpyEye and Ice IX, according to McAfee and Guardian Analytics
who jointly discovered the fraud ring in February and completed a deeper
analysis of the operation the week of October 22. “With no human participation
required, each attack moves quickly and scales neatly. This operation combines
an insider level of understanding of banking transaction systems with both
custom and off the shelf malicious code...” one of the report’s authors said.
Victims were generally lured in via phishing campaigns and were infected by
malware adept at bypassing even two-factor authentication and other security
devices in place. McAfee also found connections to the owners of a Pittsburgh
pizza restaurant who owned domains originally hosted on the Chinese server
hosting other Zeus malware. McAfee speculated that either the owners’ identities
were stolen or they were involved in the scheme and the restaurant is a front
for money laundering. Source: http://threatpost.com/en_us/blogs/operation-high-roller-banked-fast-flux-botnet-steal-millions-102412

For more stories, see items 38 and 45 below in the Information Technology Sector

Information Technology Sector

37. October 25, Softpedia – (International) Imperva experts reveal the best practices and
tactics to mitigate insider threats. Insider threats have become a major
issue, and many information security solutions providers have focused their
efforts on precisely determining how such threats can be mitigated. Security
firm Imperva contributed to this research with a report that examines the
legal, psychological, and technological tactics deployed by some high-profile
organizations to address these risks. A report published by Imperva in 2010
revealed that approximately 70 percent of employees planned to take copies of
work-related files when leaving the organizations they worked for. Furthermore,
according to the FBI, the U.S. economy suffers losses of over $13 billion each
year because of insider threats. “The digital information age offers unfettered
access for any actor trusted enough to enter our enterprise walls,” the co-
founder and CTO of Imperva explained. “For most organizations, insider threats
have moved beyond risk into reality; however, many threat vectors can be
protected against with a measured approach to business security.” After
analyzing the tactics and best practices employed by 40 organizations
considered to be highly effective at preventing insider threats, experts
determined that making a case for business security, employee education,
controlling access with checks and balances, and security organizing are key
elements. Furthermore, all employees with administrative and super user rights
should be monitored constantly. IT operations, IT security, Human Resources,
and legal

38. October 25, Softpedia – (International) Advanced malware allows cybercriminals to
empty a bank account in one go. Security firm AVG released its Community
Powered Threat Report for the third quarter of 2012. The study focuses on the
2.0 version of the Blackhole exploit kit, the evolution of malware and other
threats that marked the past quarter. According to AVG, the Blackhole exploit
kit leads both the toolkit and the malware markets, with shares of almost 76
percent and 63 percent, respectively. Considering that the crimekit’s authors
launched the 2.0 version, experts say its market share will grow even further
and the attacks it is used in will become even more “aggressive” because of
the advanced evasion techniques recently integrated into it. “Blackhole is a
sophisticated and powerful exploit kit, mainly because it is polymorphic and
its code is heavily obfuscated to evade detection by anti-virus solutions. The
rapid update capabilities of the kit have also made it challenging for
traditional antivirus vendors to track, which are the main reasons it has a
high success rate,” said the CTO at AVG Technologies. “Through our
multi-layered security approach with real-time analysis at the endpoint, AVG
has been detecting a much higher rate of Blackhole Toolkit-based attacks than
other toolkits, as Blackhole’s creator seeks to stay ahead of their
competition,” he added. Source: http://news.softpedia.com/news/Advanced-Malware-Allows-Cybercriminals-to-Empty-a-Bank-Account-in-One-Go-302135.shtml

39. October 25, Softpedia – (National) RSA, AMD, Intel, Lockheed Martin and Honeywell team
up for cyber security alliance. IT industry companies Advanced Micro
Devices (AMD), Honeywell, Intel Corporation, Lockheed Martin, and RSA/EMC
joined forces to form a non-profit research consortium known as Cyber Security
Research Alliance (CSRA). Cybersecurity has become an important issue not only
for private organizations, but also for governments. Major economic powers,
including the United States, are focusing many of their resources on enhancing
both their defensive and offensive capabilities and most of them have realized
that collaboration with the private sector is vital. The consortium will focus
on developing viable approaches to technology transfers, tackling cybersecurity
R&D activities, and prioritizing the challenges posed by cybersecurity
based on the collaboration of all stakeholders. The CSRA hopes to bring
together all the key actors in an effort to address national cybersecurity
R&D, and bridge the existent gap between the private sector and the
government. Currently, the CSRA is also collaborating with the U.S. National
Institute of Standards and Technology to arrange a symposium in early 2013 to
bring together academia and researchers from both private and government
sectors. Source: http://news.softpedia.com/news/RSA-AMD-Intel-Lockheed-Martin-and-Honeywell-Team-Up-for-Cyber-Security-Alliance-302273.shtml

40. October 25, Help Net Security – (International) Phishing Websites
proliferate at record speed. A new phishing survey released by the
Anti-Phishing Working Group (APWG) reveals that while the uptime of phishing
Web sites dropped during the first half of 2012, cybercriminals were driving
substantial increases in the numbers of phishing Web sites they established to
steal from consumers. Meanwhile, cybercriminals are increasingly using hacked
Web servers of existing, legitimate Web sites to host phishing Web sites,
pointing up the need for Web site owners and hosting services to be on
guard. APWG found that average uptimes of phishing attacks dropped to a record
low of 23 hours and 10 minutes in the first half of 2012, about half of what it
was in late 2011, and by far the lowest since the report series was inaugurated
in January 2008. The uptimes of phishing attacks are a vital measure of how
damaging they are, and are a measure of the success of mitigation efforts. The
longer a phishing attack remains active, the more money the victims and target
institutions lose. However, the study’s authors also found that there were more
phishing attacks in the period — at least 93,462, up 12 percent from the second
half of 2011. Source: http://www.net-security.org/secworld.php?id=13837

41. October 24, Ars Technica – (International) Phony certificates fool faulty crypto in apps
from AIM, Chase, and more. Researchers uncovered defects in a wide range of
applications running on computers, smartphones, and Web servers that could make
them susceptible to attacks exposing passwords, credit card numbers, and other
sensitive data. The Trillian and AIM instant messaging applications and an
Android app offered by Chase Bank are three apps identified as vulnerable to
man-in-the-middle (MitM) attacks. The weak implementations caused the programs
to initiate encrypted communications without first assessing the validity of
the digital certificates on the other end. As a result, one of the fundamental
guarantees of the secure sockets layer (SSL) — that the computer on the other
end of the connection belongs to the party claiming ownership — was fundamentally
compromised. Source: http://arstechnica.com/security/2012/10/faulty-ssl-fooled-by-phony-certificates/

42. October 24, V3.co.uk – (International) Focus: McAfee updates Endpoint Security to
battle emerging threats. McAfee updated its Endpoint Security platform as
part of an ongoing effort to block a new generation of advanced persistent
threats (APTs). The company said that the update would better equip systems to
block highly sophisticated attack techniques, such as the use of master boot
record (MBR) sabotage techniques and the use of zero-day flaws for intrusion
attempts. The senior vice president and general manager of Endpoint Security
for McAfee told reporters the update would look to not only expand the scope of
protections for Endpoint Security, but also the new form factors. In addition
to the MBR protections introduced in a Deep Defender update, McAfee is updating
the Enterprise Mobility manager to add support for iOS 6 devices and adding to
the whitelisting protections on the McAfee Application Control administrator
tool. Source: http://www.v3.co.uk/v3-uk/news/2219444/focus-mcafee-updates-endpoint-security-to-battle-emerging-threats

43. October 24, Government Computer News – (International) Hackers’ new
superweapon adds firepower to DDoS attacks. Hackers now have access to what
is dubbed the High Orbit Ion Cannon (HOIC). HOIC is a free-to-download,
open-source program that can turn any user of any skill level into a powerful
hacker, at least in terms
of a distributed denial-of-service (DDoS) attack. It was designed to be
extremely easy to use — the user simply types in the URL of the target, sets
the HOIC to operate in supercharged or normal mode, and then launches the
attack. The program sends traffic to that URL in an attempt to overload the
site and disable it. Source: http://gcn.com/articles/2012/10/24/hackers-new-super-weapon-adds-firepower-to-ddos.aspx?admgarea=TC_SECCYBERSSEC

44. October 24, Softpedia – (International) ‘Download Microsoft Windows License’ spam
used as launchpad for malware attack. GFI Labs experts issued an alert to
warn users about a spam campaign that’s being used as a launchpad for a
Blackhole-Cridex malware attack. It starts with an email entitled “Re:Fwd:
Order 321312” which reads: “Welcome, You can download your Microsoft Windows
License here. Microsoft Corporation.” Microsoft has nothing to do with the
emails and the emails have nothing to do with Windows licenses. Instead, when
users click on the link that’s behind “here,” they are taken to a Web site hosted
on a Russian domain, which contains an obfuscated JavaScript that is designed
to load another Web page. While the victim is viewing a message that reads
“Please wait a moment. You will be forwarded,” in the background, the Blackhole
exploit kit is working on trying to find a security hole to push malware onto
the victim’s computer. Source: http://news.softpedia.com/news/Download-Microsoft-Windows-License-Spam-Used-as-Launchpad-for-Malware-Attack-301923.shtml

45. October 24, The Register – (International) US-CERT warns DKIM email open to spoofing. The
U.S. Computer Emergency Response Team (US-CERT) issued a warning that
DomainKeys Identified Mail (DKIM) verifiers that use low-grade encryption are
open to being spoofed and need to be upgraded to combat attackers wielding
contemporary quantities of computing power. This problem has been found to
affect some of the biggest names in the tech industry, including Google,
Microsoft, Amazon, PayPal, and several large banks. The DKIM system adds a
signature file to messages that can be checked to ascertain the domain of the
sender by checking with DNS. It also takes a cryptographic hash of the message,
using the SHA-256 cryptographic hash and RSA public key encryption scheme, so
it cannot be altered en route. The problem stems from the very weak key lengths
that are being used by the companies. Source: http://www.theregister.co.uk/2012/10/24/uscert_dkim_spoofing_flaw/
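As an added example, not part of the report or of the cited Register article, the following Python script performs the check a domain owner would run after this warning: take the DKIM TXT record published for a selector, decode the p= public key and measure the RSA modulus length. The minimal DER walker, the function names, the 1024-bit threshold (the signer minimum in RFC 6376) and the constructed sample records (placeholder moduli, not real keys) are all assumptions of this example.

```python
import base64
import re

# --- minimal DER reader (assumption: enough for SubjectPublicKeyInfo / RSAPublicKey) ---

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Return the bit length of the modulus n inside a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(spki_der, 0)           # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _alg, pos = _read_tlv(spki, 0)               # AlgorithmIdentifier (rsaEncryption), skipped
    tag, bitstr, _ = _read_tlv(spki, pos)           # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsakey, _ = _read_tlv(bitstr, 1)             # skip unused-bits byte; RSAPublicKey SEQUENCE
    tag, modulus, _ = _read_tlv(rsakey, 0)          # INTEGER n is the first element
    if tag != 0x02:
        raise ValueError("missing modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

# --- DKIM record handling ---

def dkim_key_bits(txt_record):
    """Parse a DKIM TXT record (selector._domainkey.<domain>) and return the RSA key size."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa keys are measured here")
    p = re.sub(r"\s+", "", tags.get("p", ""))      # records are often split into several strings
    if not p:
        raise ValueError("empty p= means the key is revoked")
    return rsa_modulus_bits(base64.b64decode(p))

def assess_key(bits):
    """Assumed policy: RFC 6376 requires signers to use at least 1024 bits; 2048 is the safe target."""
    if bits < 1024:
        return "weak"
    if bits < 2048:
        return "acceptable"
    return "strong"

def audit_record(txt_record):
    bits = dkim_key_bits(txt_record)
    return bits, assess_key(bits)

# --- constructed sample records (NOT real keys: the modulus is a placeholder number) ---

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                                 # DER INTEGER is signed: keep it positive
        b = b"\x00" + b
    return _der(0x02, b)

# OID 1.2.840.113549.1.1.1 (rsaEncryption) followed by NULL parameters
_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"

def make_constructed_record(bits):
    """Build a syntactically valid DKIM record whose modulus has exactly `bits` bits."""
    n = (1 << (bits - 1)) | 1                       # placeholder modulus, not a product of primes
    rsa_key = _der(0x30, _der_int(n) + _der_int(65537))
    spki = _der(0x30, _der(0x30, _RSA_ENCRYPTION) + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, audit_record(make_constructed_record(size)))
```

To audit a live domain, pass the TXT value returned by `dig +short TXT selector._domainkey.example.com` to `audit_record`.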

46. October 24, Threatpost – (International) Attackers turn to open DNS resolvers to
amplify DDoS attacks. A recent tactic adopted by distributed
denial-of-service (DDoS) attackers is the use of open DNS resolvers to amplify
their attacks. This technique, while not novel, is beginning to cause serious
problems for the organizations that come under these attacks. In a new report,
researchers associated with Host Exploit, a volunteer organization that tracks
malicious activity among hosting providers, said attackers have been making
good use of the numerous poorly configured open DNS resolvers in recent months.
These machines were plentiful, but it was not just open resolvers in and of
themselves that represented a problem. The issue arose when they were
misconfigured, allowing attackers to take advantage of weaknesses in the open
resolvers to use them as amplifiers for their attacks. Source: http://threatpost.com/en_us/blogs/attackers-turn-open-dns-resolvers-amplify-ddos-attacks-102412

Communications Sector

47. October 24, Flint Journal – (Wisconsin, Indiana, Michigan) Cut fiber cables in Wisconsin, Indiana
responsible for Genesee County phone outages. Cut fiber cables in Wisconsin
and a computer card failure in Indiana led to the interruption of Windstream
phone service to several schools and other customers across the region, the
Flint Journal reported October 24. Fiber cables near Milwaukee, Wisconsin, and Greencastle,
Indiana, were cut, Windstream said in an email. There also was a computer card
failure at a switching station in Fishers, Indiana. Windstream, a
communications company based in Little Rock, Arkansas, said service was
restored to Flint, Farmington Hills, and Grand Rapids in Michigan. The company
did not say how many customers were affected. Source: http://www.mlive.com/news/flint/index.ssf/2012/10/cut_fiber_cables_responsible_f.html

About Me

U.S. Army Retired Chief Warrant Officer with more than 40 years in information technology and 35 years in information security. Became a Certified Information Systems Security Professional in 1995 and have taught computer security in Asia, Canada and the United States. Wrote a computer security column for 5 years in the 1980s titled "for the Sake Of Security", penname R. E. (Bob) Johnston, which was published in Computer Decisions.
Motto: "When entrusted to process, you are obligated to safeguard"